Looking for more information surrounding Risk Assessment? This is part two of a two-part series. Click here to read part one!
To perform a risk assessment you are trying to capture the likelihood a specific risk would be realized, independently how much of an impact that realization would have on the business, and what controls are performed either formally or informally.
Likelihood
The first step to assessing a specific risk is to consider how likely the risk is to be realized in your current environment. Looking at past performance, and industry peers, is a good way to start this step. Considerations to take into account may include:
- Is the affected process very complex?
- How often is the process performed?
- Is this something that is public-facing?
- Is this a workflow that is regularly in a state of change?
Impact
Once you have an established Likelihood for the risk, the second step is to consider the impact that would be felt by business if this risk were realized. It’s important to remember that the likelihood and impact should be separate factors - something shouldn’t have a higher impact because it is more likely. When considering the impact for a risk, try to use these considerations:
- What type of impact would this be? Financial? Reputational? Would there be regulatory impact?
- Depending on the types of impacts, try to quantify the vector. This can be difficult trying to think of “what ifs”, but research on similar incidents within your industry can be illuminating here
- Try to avoid rating this based on the controls you currently perform to mitigate this specific risk. There is a separate step for this next
Controls
The final step is to inventory the controls being performed to mitigate this risk. It is important to catalog these controls and their effectiveness so that if the risk landscape changes, or the controls themselves, you can be aware and update ratings accordingly. When considering controls and their effectiveness, to think of these components:
- Automated vs. Manual - automated controls will perform without intervention, and are much more effective
- Preventive vs. Detective - controls that are preventive “stop” a risk, where controls that are detective “spot” a risk. This distinction is critical in effectiveness
- Dependent and directive controls - some controls may depend on others to be performed, and you may not have complete knowledge of their performance. Other controls may be prescribed to other parties to perform, with limited insight into performance as well. These considerations are very relevant in cloud computing environments
Putting it all together
Once you’ve assessed the three main factors it's time to put it all together and determine a risk rating. The combination of likelihood and impact is called the Inherent Risk, and illustrates how likely a risk is to be realized in the absence of dedicated controls. The inherent risk also serves as a “worst case scenario” for the risk score.
Likelihood * Impact = Inherent Risk
From the inherent risk you can moderate the risk rating lower based on the effectiveness of controls. There are many ways to perform this, but it is common to assign a scale of effectiveness for controls, and remove some percentage of the inherent risk based on a level that is appropriate for your organization. This final risk value is your Residual Risk.
Inherent Risk * Control Effectiveness = Residual Risk
Grid models
Most scoring systems leverage a grid model to show input values and output values, and then can be used to determine a heatmap for a final score. The number of bands for likelihood and impact determine the size of the grid, and there are pluses and minuses for different sizes. Larger grids offer more granularity, while smaller grids offer more clarity.
For smaller organizations or ones new to risk management, a 5x5 grid with likelihood and impact values correlating to even numbers can make for the clearest communication of risk, since the most dramatic outcomes align with a round 100.
As covered in the first post on the topic, an established risk tolerance and appetite should inform the correlation of values to final outcomes. The number that defines a high risk is established by how far outside of the risk appetite it is, based on the risk tolerance.
Conclusion
There are many ways to choose to score risks, each with pros and cons. What is important is that you assess the risk profile of your organization in a way that fits your organization's size and goals, and that you can use that assessment to drive results. The process you adopt should be defensible in its approach, and repeatable in its format. Speedly takes risk very seriously, and has a mature and well defined security culture because of this. The effort to create or grow your risk assessment program is great, but the journey is worthwhile.